Cybercriminals are using a new phishing campaign that impersonates “secure messages” from private financial institutions such as Bank of America and TD Commercial banking to deliver malware to unsuspecting victims, security researchers have found. The spoof emails claim to be secure messages from a legitimate banking institution and instruct the user to either download an attached document, reply to the sender or follow a set of instructions.

They also use legitimate-looking bank domains, the institution’s logo and even a confidentiality statement at the bottom of the email to trick the user into believing these are secure messages from their bank.

“While these threats appear to be real messages from actual banks, it’s important to understand that the financial institutions mentioned in the emails below haven’t been hacked; however, their names are being used by criminals to persuade recipients to act on the messages,” Barracuda Networks explained in a blog post.

“This is appealing to criminals because the targets are of high value and already trust intimate communications from their banks. Criminals also like that in order for targets to act on these messages, they need to be connected to the internet because the viewing happens in a web portal, which means that they are now vulnerable to downloading malicious content.”

The security researchers said they have observed multiple variations of the same theme over the past month.

“In some instances, these messages have an attached Word document that contains a malicious script that will rewrite the files in the users’ directory on Windows machines once the victim opens the document,” Fleming Shi, senior vice president of technology at Barracuda, wrote.

“Depending on the script in the attachment, there’s a potential for typical anti-virus software to miss the threat altogether because the Word documents contained in these ‘secure messages’ could be benign and allowed to be downloaded or opened when they’re first received.”
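The point in the quote above is that an attachment can pass initial anti-virus checks while still carrying an embedded script. A mail gateway or triage script can add its own check before the document reaches a user. The following is an added example, not code from Barracuda or from the campaign analysis, and it assumes the "malicious script" is a VBA macro stored as an OOXML part (`word/vbaProject.bin`) inside a `.docx`/`.docm` zip container; the sample documents it builds are constructed in-line for the demonstration.

```python
import io
import zipfile

# Part names that indicate an embedded VBA project in a Word OOXML document.
# (Assumption for this example: the malicious script is a VBA macro.)
MACRO_PART_NAMES = {"vbaproject.bin", "vbadata.xml"}
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip shaped like a Word document.

    The structure (part names and content type), not the actual content,
    is what the check below looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        content_type = MACRO_CONTENT_TYPE if with_macro else \
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{content_type}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML container carries a VBA project part or
    declares a macro-enabled content type. Non-zip input (e.g. the older
    OLE-based .doc format) is reported as False and needs a separate check."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
            try:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                content_types = ""
    except zipfile.BadZipFile:
        return False
    part_hit = any(n.rsplit("/", 1)[-1] in MACRO_PART_NAMES for n in names)
    type_hit = MACRO_CONTENT_TYPE in content_types
    return part_hit or type_hit


def triage_attachment(filename: str, data: bytes) -> str:
    """Decide what a gateway should do with a 'secure message' attachment.

    Returns 'quarantine' for documents with an embedded VBA project, and
    'deliver' otherwise. A macro inside a file named .docx is also flagged,
    because that extension normally does not carry macros."""
    lower = filename.lower()
    if lower.endswith((".docx", ".docm", ".dotm")) and has_vba_project(data):
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    for name, doc in (("SecureMessage.docm", build_sample_docx(True)),
                      ("SecureMessage.docx", build_sample_docx(False))):
        print(name, "->", triage_attachment(name, doc))
```

The check is deliberately structural: it does not try to interpret the macro, so it cannot be fooled by obfuscation inside the script, and it costs almost nothing to run on every attachment. It is a first gate, not a replacement for sandbox detonation, since a document can also carry external-template links or OLE objects that this check does not cover.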

Once the document has been downloaded onto a victim’s machine, the threat actors can access it or remotely update it later to become something more malicious, such as a type of ransomware, an info-stealing malware or another malicious piece of software, the researchers warned.